My indexes don't show up in the Web UI and I don't understand what causes that. I have an idea why this happens but I don't understand the how and want to get clear on that and find if there is a way to correct that.
I have two distinct instances of Splunk installed that run independently EXCEPT that one of these two instances acts as the Deployment Server for the pair. I have applications that have servers designated to have their Forwarder connect with one of these two instances. Since an app can span the two, the Deployment Server is used to setup the outputs.conf, inputs.conf and indexes.conf (among other things) for these two instances. When I create a new index, I define it in the $SPLUNK_HOME/etc/deployment-apps/indexer_base on the Deployment Server which then informs the Indexers they have an update to apply and the index gets created and data starts getting put into them after the appropriate inputs.conf work is done on this server as well.
Since the indexes are not being created with the Web UI, I suspect this is why (in a round-about way) they do not show up in Manager >> Indexes. This has not really been a problem for me or my users until this week when one of the applications using Splunk wanted to use summary indexing and use their own summary index.
I created the index as I typically do; I reload the deploy-server and restart the Indexers and the new index shows up on the file system. But when my user tries to add summary indexing to his Saved Searh, the index does not show up in the list of indexes. The only thing there are those indexes that have been defined within the Web UI. The only Saved Search that currently uses this new summary index is the one that I added to that search in the 'savedsearch.conf' for that app.
I don't want to have to manually manage these and more of our apps will want to use summary indexing and most will want to use their own summary index. Is there a way that I can get these to show up in the Web UI or am I required to do this work manually as I have for this one functioning Saved Search?
With the assistance and follow thru of Kevin Meeks (Splunk Sales Engineer), the reason has been found. In using the Deployment Server to manage my indexes, the indexes are never defined in Splunk in a way that the Splunk Web UI "knows" about them. This is not a factor when an index is created using the Web UI as it is created by Splunk in a way that is is available for Splunk to display it. To see the indexes created via the Deployment Server from the command line as I am doing, I would need to bring up the Web UI on my Indexers and then Splunk Web UI will "know" about them and display them.
As I can get to the information I want by other means, I am choosing not to do that and keeping my Indexers as "pure"Indexers with no splunkweb running on them. I will continue to use the other methods of data collection and reporting about the index data.
Wondering if there is another solution other than logging into the Indexer's UI?
As a developer, the solution that comes to my mind is to allow the admin to indicate to Splunk in some config file that the indexes are deployed and not local and it gets the index info from the indexers.
With the assistance and follow thru of Kevin Meeks (Splunk Sales Engineer), the reason has been found. In using the Deployment Server to manage my indexes, the indexes are never defined in Splunk in a way that the Splunk Web UI "knows" about them. This is not a factor when an index is created using the Web UI as it is created by Splunk in a way that is is available for Splunk to display it. To see the indexes created via the Deployment Server from the command line as I am doing, I would need to bring up the Web UI on my Indexers and then Splunk Web UI will "know" about them and display them.
As I can get to the information I want by other means, I am choosing not to do that and keeping my Indexers as "pure"Indexers with no splunkweb running on them. I will continue to use the other methods of data collection and reporting about the index data.